A sophisticated new Android malware strain called “Gorilla” has emerged in the cybersecurity landscape, specifically designed to intercept SMS messages containing one-time passwords (OTPs). Initial analysis suggests that Gorilla primarily targets banking customers and users of popular services such as Yandex, categorizing stolen SMS messages for easier exploitation by the attackers.

The malware operates stealthily in the background, exploiting Android’s permission system to gain access to sensitive information on infected devices. It leverages critical Android permissions, including READ_PHONE_STATE and READ_PHONE_NUMBERS, to access SIM card information and retrieve phone numbers from infected devices.

Once installed, Gorilla establishes a persistent connection to its command and control (C2) infrastructure over WebSocket, following the format “ws://$URL/ws/devices/?device_id=$android_id&platform=android” to maintain constant communication with its operators.

The malware’s C2 panel reveals a sophisticated operation, with stolen SMS messages methodically organized under tags such as “Banks” and “Yandex,” suggesting a targeted approach toward financial information and popular services. This categorization enables attackers to quickly identify and exploit valuable authentication codes and sensitive information contained in intercepted messages.

Catalyst researchers identified that Gorilla employs an unusual technique to evade detection: it avoids the getInstalledPackages and getInstalledApplications APIs, which would require the REQUEST_INSTALLED_PACKAGES permission and might raise suspicion. Instead, the malware queries launcher intents to determine package names, application names, and versions, allowing it to gather information about installed applications while maintaining a lower profile.

At its core, Gorilla operates through a series of background services, ensuring persistent operation even when the user isn’t actively engaging with the device. To comply with Android requirements, these services use the startForeground API along with the FOREGROUND_SERVICE permission to display a notification, effectively masking the malicious activity as a legitimate system process.

The C2 channel carries several commands. The “device_info” command extracts and transmits detailed information about the infected device to the attackers. Most critically, the “send_sms” command allows attackers to send SMS messages from the infected device to specified recipients with custom message text. The “update_settings” command currently appears dormant, as it only logs receipt without further action, but likely enables remote configuration of the malware’s behavior.

The presence of an unused WebViewActivity class is particularly concerning: this component typically renders HTML content and is commonly leveraged in banking malware to display convincing phishing pages that harvest banking credentials or credit card information.
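The WebSocket check-in format reported above is the most concrete network indicator in the write-up, so a defender can key a detection on it. The following script is an added example, not code from the article or from Catalyst's analysis: it parses a constructed proxy/egress log, flags URLs whose scheme, path and query parameters fit the reported “ws://$URL/ws/devices/?device_id=$android_id&platform=android” shape, and notes whether the device_id looks like a real Android ID (a 64-bit value rendered as 16 hex characters). The log line format, host names and device IDs are all made up for the example.

```python
"""Flag Gorilla-style WebSocket C2 check-ins in an egress/proxy log.

Added example; not part of the article or of Catalyst's tooling. It keys on the
beacon format the article reports:
    ws://$URL/ws/devices/?device_id=$android_id&platform=android
The log layout and every host/IP/ID below are constructed for the example.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# ANDROID_ID is a 64-bit value, normally shown as 16 lowercase hex characters.
ANDROID_ID_RE = re.compile(r"^[0-9a-f]{16}$")


def classify_c2_url(url: str) -> Optional[dict]:
    """Return match details if `url` fits the reported beacon shape, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ws", "wss"):
        return None
    # Reported path is /ws/devices/ ; accept it with or without the trailing slash.
    if parsed.path.rstrip("/") != "/ws/devices":
        return None
    query = parse_qs(parsed.query)
    device_id = query.get("device_id", [None])[0]
    platform = query.get("platform", [None])[0]
    if device_id is None or platform != "android":
        return None
    return {
        "host": parsed.hostname,
        "device_id": device_id,
        "android_id_shaped": bool(ANDROID_ID_RE.match(device_id)),
    }


# Constructed log layout: "<timestamp> <source_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")

SAMPLE_LOG = """\
2025-04-19T14:58:01Z 10.0.0.17 GET ws://c2.example.invalid/ws/devices/?device_id=3f9a1c2b4d5e6f70&platform=android
2025-04-19T14:58:02Z 10.0.0.17 GET https://www.example.com/index.html
2025-04-19T14:58:05Z 10.0.0.22 GET wss://chat.example.org/ws/devices/?device_id=abc&platform=ios
2025-04-19T14:58:09Z 10.0.0.31 GET wss://c2.example.invalid/ws/devices?device_id=00ff00ff00ff00ff&platform=android
"""


def scan_log(text: str) -> list:
    """Return one alert dict per log line whose URL matches the beacon shape."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        hit = classify_c2_url(m.group("url"))
        if hit:
            alerts.append({"ts": m.group("ts"), "src": m.group("src"), **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The match is deliberately structural (scheme, path, both query keys, platform value) rather than a substring search for “/ws/devices/”, so a legitimate chat service using a similar path but a different platform value, as in the third constructed line, is not flagged; the android_id_shaped field lets an analyst rank hits where the device_id is a plausible ANDROID_ID above ones that are not.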
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Apr 2025 15:00:11 +0000